Government Agency Issues

The most enduring fact about any data breach incident is that it will generate unwelcome scrutiny from government agencies. The Federal Trade Commission is the federal agency tasked with investigating data breaches. In fact, the FTC touts itself as the "nation's consumer protection agency." Among the states, the Attorneys General Offices are most likely the entities that will be calling to investigate your data breach incident. Some states may have specific departments devoted to investigating data breaches, but these are likely under the auspices of the state's Attorney General Office.

As the self-proclaimed watchdogs of consumer protection, the various government agencies will be looking to determine the severity of any data breach and whether further action on their part may be necessary. Obviously, the more serious the breach and the more consumer information is exposed, the more likely it is that a government agency will be interested in pursuing some action against your company.

Government action also poses risks of liability. The FTC, for example, may pursue actions against your organization based on a number of federal statutes, including its own inherent powers to prevent unfair or deceptive business practices. Depending on the extent of the breach and the data involved, the FTC may pursue damages or an order to require your organization to institute certain security procedures, or both. Or the FTC may be calling simply to gather data to assist in its efforts to track and monitor trends in data breaches.

Handling government inquiries appropriately is therefore imperative to reduce the risk of adverse government investigations. To deal with government agency issues effectively, you should consider creating a Government Response Plan. Implementing that plan will allow you to respond to inquiries by government agencies. Finally, you must consider developing relationships with the various agencies that may be interested in your data breaches.